Windows 10 "Redstone3" and injection/hooking

c++ / delphi package - dll injection and api hooking

Re: Windows 10 "Redstone3" and injection/hooking

Post by madshi » Tue Sep 19, 2017 7:28 pm

iconic kindly linked to this in another thread:

https://theryuu.github.io/ifeo-mitigationoptions.txt

It seems to allow turning the "dynamic code" and "signature" policies on or off for specific exe files via registry. Supposedly this should also affect Edge, but I haven't tested it yet myself.
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm
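
The registry write described in the linked text, as an added PowerShell example (this is not code from the linked document or from madCodeHook). It assumes that the IFEO MitigationOptions QWORD uses the same 2-bit-per-policy layout as the PROCESS_CREATION_MITIGATION_POLICY_* constants in winbase.h, with the dynamic code (ACG) field at bits 36-37 and the signature (block non-Microsoft binaries) field at bits 44-45; the function names and 'notepad.exe' are placeholders of mine.

```powershell
# Added example: set or read the IFEO MitigationOptions value for one executable.
# Assumption: the QWORD follows the PROCESS_CREATION_MITIGATION_POLICY_* layout from
# winbase.h, where each policy is a 2-bit field: 00 = defer, 01 = ALWAYS_ON, 10 = ALWAYS_OFF.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Bit positions of the two fields the post mentions.
$Fields = @{
    DynamicCode = 36   # PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_* (ACG)
    Signature   = 44   # PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_* (CIG)
}
$States = @{ Defer = 0; AlwaysOn = 1; AlwaysOff = 2 }

function Set-IfeoMitigation {
    param(
        [Parameter(Mandatory)][string]$ExeName,   # image name only, e.g. 'notepad.exe', not a path
        [Parameter(Mandatory)][ValidateSet('DynamicCode','Signature')][string]$Policy,
        [Parameter(Mandatory)][ValidateSet('Defer','AlwaysOn','AlwaysOff')][string]$State
    )
    $key = Join-Path $IfeoRoot $ExeName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Start from the existing value so policies already configured there survive.
    $current = (Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
    [int64]$value = if ($null -ne $current) { [int64]$current } else { 0 }

    $shift = $Fields[$Policy]
    $value = $value -band (-bnot ([int64]3 -shl $shift))       # clear the 2-bit field first ...
    $value = $value -bor ([int64]$States[$State] -shl $shift)  # ... then set the requested state
    New-ItemProperty -Path $key -Name MitigationOptions -PropertyType QWord -Value $value -Force | Out-Null
    return $value
}

function Get-IfeoMitigation {
    param([Parameter(Mandatory)][string]$ExeName)
    $key = Join-Path $IfeoRoot $ExeName
    $v = (Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
    if ($null -eq $v) { return $null }
    [pscustomobject]@{
        Exe         = $ExeName
        Raw         = ('0x{0:X16}' -f [int64]$v)
        # The 11 state has a policy-specific meaning in winbase.h.
        DynamicCode = @('Defer','AlwaysOn','AlwaysOff','AlwaysOnAllowOptOut')[([int64]$v -shr 36) -band 3]
        Signature   = @('Defer','AlwaysOn','AlwaysOff','AllowStore')[([int64]$v -shr 44) -band 3]
    }
}

# Usage (run elevated; the value applies to processes started after the write, not to running ones):
Set-IfeoMitigation -ExeName 'notepad.exe' -Policy DynamicCode -State AlwaysOn  | Out-Null
Set-IfeoMitigation -ExeName 'notepad.exe' -Policy Signature   -State AlwaysOff | Out-Null
Get-IfeoMitigation -ExeName 'notepad.exe'
```

The field is cleared before it is set because OR-ing a new state over an old one would produce the 11 state, which means something else entirely (opt-out allowed for ACG, store-signed allowed for the signature policy). Read the value back after a test launch with the target process's effective policy rather than trusting the registry alone; the key is matched by image name, so every process with that name is affected.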

Re: Windows 10 "Redstone3" and injection/hooking

Post by mediant » Sun Oct 01, 2017 12:23 pm

I think I tried both Image Execution Options and Group Policy (which can be extended to 64-bit to include ACG and such) in the past, but to no avail - Edge is created by COM+, and its mitigation settings are provided with process creation parameters. It looks like Image Execution Options and GP can only turn these settings ON.

On RS3 ACG is turned on by default for some processes beyond Edge, e.g. DllHost and some SvcHost instances. So one rather annoying issue we encountered with madCodeHook driver injection is that the driver hooks NtTestAlert, but the injected code is unable to remove that hook due to ACG, resulting in an endless initialization loop.

Any thoughts on how to "mitigate" this, so to say? Except for not using InjectLibraryOld32, obviously...
mediant
 
Posts: 2
Joined: Sun Oct 01, 2017 12:01 pm
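
A check a practitioner would want before injecting into the processes named above: ask each running process for its effective dynamic code (ACG) and signature policy through GetProcessMitigationPolicy. ACG makes existing code pages immutable, which is exactly what restoring the original bytes over an inline hook in ntdll needs to do, so knowing the state up front avoids the kind of loop described in the post. This is an added PowerShell example of mine, not madCodeHook code; the P/Invoke wrapper class name and the output column names are my own, and the process-name list is just the set mentioned in the post.

```powershell
# Added example: report the effective ACG (dynamic code) and signature policy of running processes.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeMitigation {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
    // PROCESS_MITIGATION_DYNAMIC_CODE_POLICY and PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY are each
    // a single DWORD of flag bits, so one 4-byte out-buffer serves both queries.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int MitigationPolicy, out uint lpBuffer, UIntPtr dwLength);
}
'@

$ProcessDynamicCodePolicy = 2      # PROCESS_MITIGATION_POLICY enum values
$ProcessSignaturePolicy   = 8
$PROCESS_QUERY_INFORMATION         = 0x0400
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Get-ProcessCodePolicy {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    $result = [ordered]@{ Name = $Process.ProcessName; Id = $Process.Id; Acg = $null; AcgAudit = $null; MsSignedOnly = $null; Note = '' }

    # The documented requirement is PROCESS_QUERY_INFORMATION; protected processes refuse it,
    # so fall back to the limited right and report whatever the query then says.
    $h = [NativeMitigation]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$Process.Id)
    if ($h -eq [IntPtr]::Zero) { $h = [NativeMitigation]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$Process.Id) }
    if ($h -eq [IntPtr]::Zero) {
        $result.Note = "OpenProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        return [pscustomobject]$result
    }
    try {
        [uint32]$dyn = 0; [uint32]$sig = 0
        if ([NativeMitigation]::GetProcessMitigationPolicy($h, $ProcessDynamicCodePolicy, [ref]$dyn, [UIntPtr]::new(4))) {
            $result.Acg      = ($dyn -band 0x1) -ne 0   # ProhibitDynamicCode: code pages cannot be made writable
            $result.AcgAudit = ($dyn -band 0x8) -ne 0   # AuditProhibitDynamicCode: violations logged, not blocked
        } else {
            $result.Note = "dynamic code query failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        if ([NativeMitigation]::GetProcessMitigationPolicy($h, $ProcessSignaturePolicy, [ref]$sig, [UIntPtr]::new(4))) {
            $result.MsSignedOnly = ($sig -band 0x1) -ne 0   # MicrosoftSignedOnly: a third-party DLL will not load at all
        }
    } finally {
        [void][NativeMitigation]::CloseHandle($h)
    }
    [pscustomobject]$result
}

# Survey the process types named in the post. Run elevated, otherwise SYSTEM-owned
# svchost/dllhost instances show up only as OpenProcess failures.
Get-Process -Name dllhost, svchost, MicrosoftEdge* -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessCodePolicy -Process $_ } |
    Sort-Object Name, Id | Format-Table -AutoSize
```

A row with Acg true is a process where an injected DLL must not rely on patching or unpatching code; a row with MsSignedOnly true will not load the DLL in the first place. An audit-only result means the policy is being logged but not enforced, so behaviour there will differ from a process where Acg itself is set.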

Re: Windows 10 "Redstone3" and injection/hooking

Post by madshi » Sun Oct 01, 2017 1:00 pm

The NtTestAlert endless initialization loop problem should be fixed in the current official version (both v3 and v4). Probably you're still using an older version?
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 "Redstone3" and injection/hooking

Post by mediant » Sun Oct 01, 2017 1:58 pm

Most likely, will check. Thanks for prompt response!
mediant
 
Posts: 2
Joined: Sun Oct 01, 2017 12:01 pm
